Using the Certificate Authority API

Viewing, creating and signing certificates

About the Certificate Authority API

The DC/OS Certificate Authority API allows you to view the TLS certificates used by DC/OS Enterprise, create Certificate Signing Requests (CSRs), and have the DC/OS CA sign CSRs.

Request and response format

The API supports JSON only. You must set the Content-Type HTTP header to application/json, as shown below.

Content-Type: application/json

Host name and base path

The host name will vary depending on where your app is running.

If your app will run outside of the DC/OS cluster, you should use the cluster URL. You can obtain it by launching the DC/OS web interface and copying the domain name from the browser. Alternatively, you can log in to the DC/OS CLI and type dcos config show core.dcos_url to get the cluster URL. In a production environment, this should be the address of the load balancer that sits in front of your masters.

If your app will run inside of the cluster, use master.mesos.

Append /ca/api/v2/ to the host name, as shown below.

https://<host-name-or-ip>/ca/api/v2/

Authentication and authorization

If the endpoint you wish to access requires authentication, you will need an authentication token with one of the following permissions:

dcos:superuser

dcos:adminrouter:ops:ca:ro

dcos:adminrouter:ops:ca:rw

Obtaining an authentication token

Via the IAM API

To get an authentication token, pass the user name and password of a user with the necessary permissions in the body of a request to the /auth/login endpoint of the Identity and Access Management Service API. It returns an authentication token as shown below.

Via curl as a DC/OS CLI variable

Refreshing the authentication token

Authentication tokens expire after five days by default. If your program needs to run longer than five days, you will need a service account. Please see Provisioning custom services for more information.
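The following Python sketch ties together the base path, login and token-expiry points above. It is an added example, not code from the DC/OS documentation. Assumptions not stated on this page: the IAM API lives under /acs/api/v1, the login body uses uid and password fields, the token is sent as "Authorization: token=<token>", and the token is a JWT carrying an exp claim. The endpoint name is supplied by the caller, and constructed_token builds a sample value only.

```python
import base64
import json
import time
import urllib.request

CA_BASE_PATH = "/ca/api/v2/"                # from this page
IAM_LOGIN_PATH = "/acs/api/v1/auth/login"   # assumption: IAM base path is not given on this page

def _https_origin(host):
    """Normalize a host name, IP or cluster URL; refuse plain http."""
    host = host.strip().rstrip("/")
    if "://" not in host:
        host = "https://" + host
    if not host.startswith("https://"):
        raise ValueError("credentials and CSRs must only be sent over https")
    return host

def ca_base_url(host):
    return _https_origin(host) + CA_BASE_PATH

def login_request(cluster_url, uid, password):
    """POST credentials as JSON; the response is assumed to be {"token": "..."}."""
    body = json.dumps({"uid": uid, "password": password}).encode()
    return urllib.request.Request(_https_origin(cluster_url) + IAM_LOGIN_PATH, data=body,
                                  method="POST", headers={"Content-Type": "application/json"})

def token_expiry(token):
    """Read the exp claim (Unix seconds) from the JWT payload. The signature is
    not verified: this only schedules a re-login, it does not trust the token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)     # restore stripped base64url padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])

def needs_refresh(token, now=None, margin=600):
    """True once the token is within `margin` seconds of expiring."""
    now = time.time() if now is None else now
    return token_expiry(token) - now <= margin

def ca_request(host, endpoint, token, payload):
    """Build an authenticated JSON request to a CA API endpoint named by the caller."""
    return urllib.request.Request(ca_base_url(host) + endpoint.lstrip("/"),
                                  data=json.dumps(payload).encode(), method="POST",
                                  headers={"Content-Type": "application/json",
                                           "Authorization": "token=" + token})

def constructed_token(exp):
    """Unsigned sample token for local testing; not a real DC/OS token."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc({"uid": "demo", "exp": exp}) + ".sig"
```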

API reference

Logging

While the API returns informative error messages, you may also find it useful to check the logs of the service. Refer to Service and Task Logging for instructions.